In recent weeks, we have seen an increase in the number of phishing attempts made to businesses as cybercriminals take advantage of the coronavirus (COVID-19) pandemic. It has become so prolific – and successful – that numerous IT security firms and law enforcement agencies, including the FBI, have released warnings.
The most common attack has been, as always, in the form of an email. Most are preying on users’ concern and thirst for information, as content posing as Coronavirus health advice, educational content or financial relief encourages them to click on links and download/open Word documents and PDFs. If these are clicked on or opened, malware or ransomware infects the device and compromises the network.
Despite the increase in security technology deployment – like anti-virus, malware, ransomware and SPAM – combined with strict processes, according to Accenture Security’s 2019 Cost of Cybercrime report, 85% of organizations still reported phishing and social engineering attacks in the last 12 months.
This is because a business’s biggest weakness to IT security, no matter what controls they have in place, is their employees. And during these bizarre times, the threat your workforce poses has never been greater.
Widespread and long-term working from home creates additional security threats that most businesses are unprepared for, making it a perfect hunting ground for phishing attempts.
Persistent and unavoidable reliance on unsecured home networks
Likely use of employees’ own devices
Greater difficulty of verifying email instructions in person
The difficulty of continuous reinforcement of the security threats
Natural human susceptibility
It’s a lethal combination.
The secret is to educate your team on how social engineering works, and what to be mindful of – not just in terms of the recent COVID-19 threats, but also more widely.
Social engineering – What does this mean?
Social engineering is the use of psychological manipulation to convince and trick people into providing confidential and/ or personal information. This tactic also involves sending links or documents in emails and text messages as well as across social media, that when clicked on could infect users devices or entire networks with malware or ransomware.
Types of Social Engineering:
Phishing:
Phishing attempts are one of the most common types of social engineering attacks. This is where cybercriminals use increasingly convincing communications such as an email or SMS message, and make it appear to come from an employee, a supplier, or even a financial institution.
These messages will require you to click a link to either an infected page or to a website impersonating a well-known brand requesting you to “log in” (see typosquatting below). They can also include malicious attachments such as Word, Excel or PDFs and encourage the user to download or open the files. Successful attacks often inject malware or ransomware into an organizations network, crippling business operations and financials.
For example, Travelex and Garmin, both suffered a ransomware attack earlier this year, and are still impacted by the attack. The impact of these attacks would have been minimal if proper IT security practices and processes were in place, as well as ongoing employee security awareness training. You can read more about these attacks, plus how to prevent them, here.
SMiShing:
SMiShing uses text messaging or messaging apps such as WhatsApp to send and encourage users to click on malicious links and to give away personal information. Recently there has been a rise in SMiShing attacks spoofing government agencies such as health care, and financial institutions offering to give away information regarding the COVID-19 pandemic.
However, SMiShing attempts can also like they have come from utility providers, online retail organizations and payment apps.
Whaling:
A whaling attack is a form of “phishing” and is communication designed to look like it has come from a senior member of an organization and targets high profile individuals or company executives and aims to steal sensitive information, gain access to the system or request a financial transaction. It can be in be emails, phone calls or text messages and is often referred to as CEO fraud.
Vishing:
Vishing is a voice-based phishing attack and is often someone posing as an executive of the organization or a contact from a known partner or supplier, requesting financial payments or information. The caller often sounds angry, irritated or panicked, which causes a stressful situation, often making the employee more likely to comply.
Baiting:
Baiting often pretends to offer something appealing such as free downloads, or for example, offering free healthcare advice about COVID-19. This is also known as “clickbait”.
Typosquatting:
Typosquatting is when a cybercriminal will obtain domains with URLs similar to well-known organizations and rely on users to make typos and errors when typing in the URL. Unfortunately, these fraudulent sites can look so authentic that they request login and payment details or install malware onto a device solely by just landing on the page.
Social Media:
Social Media is a tool that increasingly being used for up-to-date news and is providing cybercriminals with a platform to set up fake accounts to promote “click-bait” posts, often masquerading as news, health care and financial advice.
Additionally, with more people documenting their personal lives on social media such as Facebook, Instagram and Twitter and unknowingly giving away personal information, it becomes easy for hackers to use the platform to find answers for passwords and IT security passwords such as the names of peoples’ relatives and pets.
How do I protect myself and my business from social engineering?
Here are a few tips on how users can avoid and combat social engineering attacks:
Do not open any links or attachments in emails from untrusted sources.
Be vigilant when opening any attachments, even when the email appears to be from someone you know. If you’re unsure, ask them.
Hover above a URL to verify beforehand, check for typos or wrong domains, if you’re still unsure, do not click on it!
If an email looks like it’s coming from someone you know but is asking for valuable company information or for financial transactions, usually with urgency, double-check the email address and verify this with a phone call to the sender.
Do not be fooled by “clickbait” offers!
Be wary of social media – how much personal information are you giving away? Don’t be tempted to click on links offering discounts or advice and news.
Ensure you use trusted media outlets and official healthcare websites to look for the latest news, information and advice.
Always use strong passwords or passphrases.
Don’t be afraid to ask questions and report anything that looks suspicious.
How Calligo can help
Calligo’s award-winning IT Managed Services includes IT Security services that address all three pillars of IT security and keep your business continuously protected from all attack types.
Our IT Security Services include:
Strategic security consultancy
Anti-virus, anti-malware, anti-ransomware and anti-SPAM
Security audits
Patch management
Penetration testing
Employee cybersecurity awareness training
Back-up & disaster recovery
Multi-Factor Authentication